Posted by markholmes on April 29, 2006, 7:09 pm
I Have tried for months and spent over $5000 on pc equipment. This
MALWARE has INFECTED EVERY COMPUTER - EVERY BIOS - EVERY HARD DRIVE.
I WENT OUT AND BOUGHT A BRAND NEW COMPUTER AND IT WAS INSTALLED ON THE
FIRST BOOTUP...I SWEAR. THIS IS AN AMAZING VIRUS.
ANY HELP?
MY SYMPTOMS ARE THE SAME AS YOURS. I'LL POST MY HIJACKTHIS FILE...BUT
IT DOESN'T REVEAL ANYTHING. I'M ON A WINDOWS MEDIA COMPUTER...I'VE
RELOADED THE SOFTWARE, REFORMATTED...100's OF TIMES OVER THE PAST 6
MONTHS. IT CONTROLS EVERYTHING. CD...FLOPPY...DOS...COMMAND LINE. IT
WILL RUN A HIDDEN UNINSTALLER RIGHT NEXT TO YOUR APPLICATION THAT
THREATENS IT. ANTIVIRUS...FIREWALLS...A JOKE!
THIS VIRUS IS EVEN ON MY DAD'S MACINTOSH. IT HAS DIFFERENT
SYMPTOMS...BUT HE HAS HAD PROFESSIONALS TRY TO FIX IT...WE HAVE BOTH
SENT OUR COMPUTER IN TO THE PRO'S. THEY CAN'T FIX IT EITHER...THEY SEE
A COMPLETELY DIFFERENT REGISTRY. HOW DO YOU FIX THAT? BUY A NEW
COMPUTER? THE FILES / REGISTRY / COMPUTER YOU BOUGHT ARE NEVER GOING
TO BE THERE....I'M GLAD YOU FIXED YOURS.
I HAVE THOUGHT MINE WAS FIXED. I HAVE DOWNLOADED EVERY TROJAN / VIRUS
PROGRAM KNOWN...YES THEY CLAIM TO FIX THE MANY INFECTIONS ----------
BUT DAYS...WEEKS...THE COMPUTER'S GONE!
YOU CAN READ IN THE REGISTRY HOW POWERFUL THIS VIRUS IS...IT HAS
COMPLETE CONTROL OF EVERYTHING. I EVEN THINK IT RUINED MY SONY CLIE
AND HAD CONTROL OF MY HP PRINTER...ANY INFRARED / BLUETOOTH, ETC. IT
ATTACKS.
MY DAD CANNOT STOP HIS MAC FROM BEING A SERVER. IT'S A MESS...WE CAN'T
TERMINATE IT FROM USING ITS AIRPORT SERVICE...AND I'M SURE IT IS A PATH
TO INFECT / REINFECT.
I'M ILL.
PLEASE HELP.
I'VE SEEN OTHER PEOPLE CALL THIS THE TERMINAL SERVICE TROJAN.
IF THIS IS THE BIGGEST THREAT IN PC SECURITY...WHY ISN'T MICROSOFT...OR
THE ANTIVIRUS COMPANIES ALL OVER THIS?
I KNOW THAT NOT TOO MANY PEOPLE ARE INFECTED...BECAUSE IT LITERALLY
RUINS LIVES...I'VE READ A FEW POSTS THAT MAKE MINE SEEM SANE.
ALSO ... AMONG A MILLION THINGS OBVIOUS IN THE REGISTRY (BUT ONLY IN
THE REGISTRY!) PEOPLE MENTION THINGS LIKE WATCHDOG AND TIME BOMB ---
LOTS OF LEGACY STUFF... MOST EVERYTHING IN THE %SYSTEMROOT%...OR SOME
DRIVE LIKE .... HERE'S ONE FOR A CD....
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\\##?#IDE#CdRomHL-DT-ST_CD-RW_GCE-8527B________________1.01____#5&3aadb0d2&0&0.0.0#
ANYWAY...ALL HELP IS APPRECIATED!
Logfile of HijackThis v1.99.1
Scan saved at 2:32:43 AM, on 1/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\SSuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Mark\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wwww.yahoo.com/
O3 - Toolbar: Yahoo! Toolbar - - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition.0\Apps\apdproxy.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: (WUWebControl Class) - http://tinyurl.com/gxu22
O16 - DPF: (MUWebControl Class) - http://tinyurl.com/jzkj6
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
Originally posted by SRGriffin:
*Here are a few more details:
On a compaq laptop I took apart to replace the DVD Drive, among other things
(Bought it new from Circuit City).
Ghost Wipe the drive, then loaded the OS image with the Compaq restore
disks (4 CDs). Loaded SP2 from CD from MS. Loaded Norton Security 2005,
Partition Commander 9, Fix-it Utilities. Renamed or deleted directories
containing any .Cab files or other possible installation sources. Cleaned
registry with "fix-it" default, safe settings.
Connected to direct internet connection to get updates and then
disconnected....
One of the updates automatically downloaded...Virtual PC Update!??
Hidden devices in control panel include: ACPI-Compliant Embedded Controller;
AFD Networking Support Environment; clntmgmt.sys, dmboot, dmload, EABFilter,
Fallback, ksecdd, mnmdd, Fsks, RDPCDD, ParVdm.....more but realize some might
be XP standard ???
SQL Server and ISS appear to be installed, but can't update them. IE 4.0 gets
installed and IEAK.
All computers have registry settings for:
Key Name:
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\COMPAQ18040000
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: 00000000
Type: REG_BINARY
Data: <<Nearly 10kb in data follow>>
Key Name: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: Identifier
Type: REG_SZ
Data: FUJITSU MHR2030AT
Key Name: HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\Hardware Abstraction Layer\ACPI Compatible Eisa/Isa HAL
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: .Raw
Type: REG_RESOURCE_LIST
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ComServersTable.ComServersTable.1\CLSID
Data:
HLM\System\CurrentControlSet\Services\Abiosdsk
HLM\System\CurrentControlSet\Services\basic2\enum
HLM\System\CurrentControlSet\Services\Cnxtdiag\Enum
HLM\System\CurrentControlSet\Services\dmadmin\
HLM\System\CurrentControlSet\Services\dmboot\
HLM\System\CurrentControlSet\Services\dmio\
HLM\System\CurrentControlSet\Services\EABFilter --> image:
\??\C:\WINDOWS\System32\drivers\EABFiltr.sys
HLM\System\CurrentControlSet\Services\MSPQM --> image:
system32\drivers\MSPQM.sys
HLM\System\CurrentControlSet\Services\MRxDAV\EncryptedDirectories\
HLM\System\CurrentControlSet\Services\MSIServer ---> MS Installer Server
HLM\System\CurrentControlSet\Services\P3\Enum\INITSTARTFAILED ---> 1 <<P4 System>>
HLM\System\CurrentControlSet\Services\Ql10wnt\Group\SCSI Miniport\
HLM\System\CurrentControlSet\Services\RASl2tp
HLM\System\CurrentControlSet\Services\RASMan
HLM\System\CurrentControlSet\Services\SharedAccess\Epoch\ <<<No Sharing Enabled>>>
HLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ --->xpsp2res.dll,-22019
HLM\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\
HLM\System\CurrentControlSet\Services\Simbad
HLM\System\CurrentControlSet\Services\Sparrow\Parameters\PnpInterface --> 1
HLM\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Well Known Guids\AppleTalk \IsoTp \McsXns
HLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries0000000002\image ==> winrnr.dll
HLM\SYSTEM\CurrentControlSet\Services\wmiApSrv
HLM\SYSTEM\CurrentControlSet\Services\wuauserv\parameters\SerivceDll --> wuauserv.dll
HLM\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://tinyurl.com/e8zax
HLM\SYSTEM\CurrentControlSet\Control\Arbiters\BrokenMemAtF8...\BrokenVideo ....\Root
HLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\base
.....\filter..\FSFilter {cluster,compression,replication, top....}
HLM\SYSTEM\CurrentControlSet\Control\HAL\CStateHacks
HLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages --> msv 1_0
HLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest --> 1
HLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot ---> 1
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SFC\CommonFilesDir \ProgramFilesDir
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Kmode
\Optional \Posix... \Windows
HLM\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType ---> WinNT
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppPatches\INSTSCR\ff060102c47b1f00040750db0100\e
<<Notice Offset on Hard drive>>
HLM\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume&30a96598&0&Signature24DA24D9Offset7E00Length6FC7C0200\Control
HLM\SOFTWARE\ATI Technologies\CDS\System
HLM\SOFTWARE\GIANTCompany\AntiSpyware\ <<MS AntiSpyWare>>
HLM\SOFTWARE\ODBC\ODBC.INI\ODBC File DSN\DefaultDSNDir
HCU\Software\Microsoft\IEAK
HCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\\Count
HRZR_EHACNGU:::
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr
HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Abgrcnq.yax
HRZR_PGYPHNPbhag:pgbe
HCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.0\Cache\Extensible Cache\MSHist012005041820050419
Partition Commander (scout) log: [small portion]
==============START OF PARTITION MANAGER ============
Drive 0 (ATA) - Validated
From Windows (#0): 27.944 GB Total sectors = 58605120 (LBA -0)
Cylinders = 3648 Tracks = 255 Sectors/track = 63
From controller: 27.944 GB Total sectors = 58605120
Cylinders = 16383 Tracks = 16 Sectors/track = 63
HD-model: FUJITSU MHR2030AT (firmware 53BB) s/n: NJ36T2915YRW
Supports drive > 137 GB
Features: power=yes, removable=no, fault-detect=yes, security=yes (0009)
Host protected area supported & enabled w/48-bit addr. (none used)
Drive &        --Starting--  ---Ending---   -------Sectors-------  ---Size in GB--  Clust
Partition  ID  Sec Hd Cyl    Sec Hd  Cyl    First  Total           Total  Unused    size  Volume label
C: +0-0    07  1   1  0      63  254 1023   63     58605057        27.944           FSv3.1 4K
   0-1     00  0   0  0      0   0   0      0      0               0                -      -
   0-2     00  0   0  0      0   0   0      0      0               0                -      -
   0-3     00  0   0  0      0   0   0      0      0               0                -      -
~~~~~~~~~~~~~~~~~~ <<<Con't>> ~~~~~~~~~~
3) Media descriptor byte (never below F0h) F8
4) Sectors per track (should match the disk) 63
5) Tracks per cylinder (should match the disk) 255
6) Total sectors from the partition entry 58605057
7) Total sectors from boot (should match partition) 58605056
8) Extended signature (29h for FAT/FAT32, 80h for NTFS) 80
9) File system ID "NTFS    "
10) Start of the MFT 804864
11) Start of the MFT copy 2098486
12) Clusters per MFT record (power of 2 or F6h for 1K) F6h
13) Clusters per index record (power of 2 or F4h for 4K) 01h
14) Volume label ""
==========================END OF PARTITION MGR==========================
Any other thoughts or comments? Still working on getting server up to
manage these better....will that work with Home?
"SRGriffin" wrote:
> I have a small network of XP machines, mostly XP Home that appear to have an
> Sus installation that propagates to them. It looks like it installs an NT or
> 2000 headless boot (maybe XP embedded??) and gives me remote desktop that
> looks exactly like XP, but has a lot of strange behavior (Looks like NT or
> 2000 is installed, all devices are legacy, network traffic is forwarded from
> loopback to "host", don't seem to have full permissions, etc.)
>
> I've been trying to figure this one out for months and keep thinking I'm
> just paranoid. Not being an XP expert (silicon and systems design) it took
> me awhile to find all the pieces I'm still sorting out.
>
> I'm DEFINITELY on a remote desktop, SuS is installed, MMC console appears to
> be modified (mmccmdmgr.dll) w/ VB6 and the CD-Rom(s) are redirected and don't
> give me what's really on them or "read them". Downloaded packages are
> "signed", but the time stamp is off by a year or more, and they contain
> things they shouldn't.
>
> The USB drivers I downloaded from ViaForum are filled with QFE fills for
> instance.
>
> Even a Ghost diskwipe doesn't seem to get everything (Thinking it writes
> stuff into the BIOS DMI).
>
> All virus scans and spyware come back negative, but have realized, at least
> in some cases, it either kills the app I started (Norton 2005) and starts an
> older version (Norton 2002) or else it scans a clean part of the disk only.
> (There's some disk space I can't access and found some code that looked like
> it would return a "sector error" w/o the key).
>
> I know this sounds like the ultimate paranoid delusion, but I'm sure it's
> there. Although to be fair, until December when this first started to become
> obvious, my security inside the firewall was pretty terrible. Since I had
> tons of development stuff -- compilers, VM Ware, bits of old OSes in archives
> -- it's possible someone or some program had a lot of time to set all this
> stuff up. I also had 2003 server on the network, just to install (and
> thought I had removed all the others from the network), and could have done
> something then...although nothing intentional and certainly not to the extent
> that I see (Like NT/2000 files).
>
> My first question is: What's the cleanest way to remove SuS and get the
> correct CAT files back and being referenced on XP Home? (SFC scan asks for a
> 2000 disk, which I obviously don't have).
>
> Second question: While this may just be me, I've seen similar behavior on
> friends' computers (although they've all had some sort of contact with my
> environment). Is there a quick way to detect SuS and some boot server
> running?
>
> Last Question: Anyone EVER heard of this? Is this a known issue I just
> haven't been able to find anything about?
>
> I'm happy to share bunches of data with anyone that wants it (or thinks I'm
> just paranoid;). I'm currently thinking I'll be able to hook the 2003 server
> back up and fix them through group and local policy changes, but it would be
> nice if there was an easier fix.
>
> Regards,
> SRGriffin *
--
markholmes
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
View this thread: http://www.webservertalk.com/message1024236.html
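The "HRZR_..." names in the UserAssist listing quoted in the post above are the one piece of the registry dump that looks obfuscated, and that is exactly what Explorer itself does: value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count are stored ROT13-encoded and record which programs and shortcuts the user launched, which makes them a standard forensic artifact rather than a malware signature. The following script is an added example, not code from the thread or from either poster: it decodes the four names quoted above and parses the 16-byte Windows XP/2003 Count value layout (session, run counter, last-run FILETIME). The binary value data is constructed here because the post shows only the names, and all function and constant names are my own.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Value names copied from the UserAssist listing quoted in the post.
SAMPLE_VALUE_NAMES = [
    "HRZR_EHACNGU:::",
    "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\abgrcnq.rkr",
    "HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Abgrcnq.yax",
    "HRZR_PGYPHNPbhag:pgbe",
]

# Meaning of the decoded prefixes in the standard UserAssist vocabulary.
PREFIX_MEANING = {
    "UEME_RUNPATH": "executable launched by path (Explorer / Start menu)",
    "UEME_RUNPIDL": "shell item (shortcut or folder) opened via its PIDL",
    "UEME_CTLCUACount": "bookkeeping entry for the Count key itself",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_userassist_name(value_name: str) -> dict:
    """ROT13-decode one UserAssist value name and split it into prefix and target."""
    decoded = codecs.decode(value_name, "rot_13")  # letters rotate, paths/punctuation stay
    prefix, _, target = decoded.partition(":")
    return {
        "raw": value_name,
        "decoded": decoded,
        "prefix": prefix,
        "target": target,
        "meaning": PREFIX_MEANING.get(prefix, "unknown prefix (not in the standard vocabulary)"),
    }


def decode_all(value_names) -> list:
    """Decode a whole Count key listing; anything with an unknown prefix is worth a closer look."""
    return [decode_userassist_name(name) for name in value_names]


def make_xp_count_data(session: int, raw_count: int, last_run) -> bytes:
    """Build 16-byte XP-era Count value data: DWORD session, DWORD counter, 64-bit FILETIME."""
    if last_run is None:
        filetime = 0  # FILETIME 0 means 'never run'
    else:
        filetime = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<IIQ", session, raw_count, filetime)


def parse_xp_count_data(data: bytes) -> dict:
    """Parse the XP/2003 16-byte layout; later Windows versions use a longer record."""
    if len(data) != 16:
        raise ValueError(f"expected 16-byte XP UserAssist record, got {len(data)} bytes")
    session, raw_count, filetime = struct.unpack("<IIQ", data)
    last_run = None
    if filetime:
        # FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
        last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    # XP starts the stored counter at 5, so forensic tools report raw_count - 5 as the run count.
    return {
        "session": session,
        "raw_count": raw_count,
        "run_count": max(raw_count - 5, 0),
        "last_run": last_run,
    }


# Constructed value data (hypothetical: the post shows names only, not the binary data).
CONSTRUCTED_LAST_RUN = datetime(2005, 4, 18, 17, 10, tzinfo=timezone.utc)
SAMPLE_COUNT_DATA = make_xp_count_data(session=1, raw_count=7, last_run=CONSTRUCTED_LAST_RUN)


if __name__ == "__main__":
    for rec in decode_all(SAMPLE_VALUE_NAMES):
        print(f"{rec['raw']:<48} -> {rec['decoded']:<48} [{rec['meaning']}]")
    print(parse_xp_count_data(SAMPLE_COUNT_DATA))
```

Run as a script it shows that the quoted names decode to UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe, UEME_RUNPIDL:%csidl2%\Accessories\Notepad.lnk and UEME_CTLCUACount:ctor, i.e. Explorer recording that Notepad was opened from the Accessories shortcut. In a real triage the names would be read from a registry hive export rather than the literal list, and any decoded prefix outside the known set, or a target path pointing somewhere unusual, is what merits follow-up.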